ENT-1443 Add cert role to CSR and doorman issue cert according to the cert role (#2620)

* ENT-1443 Add cert role to CSR and doorman issue cert according to the cert role (#431) * Doorman and HSM create certificate base on requested cert role specified in the certificate signing request. (cherry picked from commit 94f7392) * remove R3 corda code
2025-06-13 04:38:19 +00:00 · 2018-02-23 13:38:09 +00:00
parent c8672d373f
commit 1552e992e7
9 changed files with 177 additions and 81 deletions
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/config/ConfigUtilities.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/config/ConfigUtilities.kt
@ -2,10 +2,7 @@

 package net.corda.nodeapi.internal.config

-import com.typesafe.config.Config
-import com.typesafe.config.ConfigFactory
-import com.typesafe.config.ConfigUtil
-import com.typesafe.config.ConfigValueFactory
+import com.typesafe.config.*
 import net.corda.core.identity.CordaX500Name
 import net.corda.core.internal.noneOrSingle
 import net.corda.core.internal.uncheckedCast
@ -78,7 +75,12 @@ private fun Config.getSingleValue(path: String, type: KType): Any? {
        NetworkHostAndPort::class -> NetworkHostAndPort.parse(getString(path))
        Path::class -> Paths.get(getString(path))
        URL::class -> URL(getString(path))
-        CordaX500Name::class -> CordaX500Name.parse(getString(path))
+        CordaX500Name::class -> {
+            when (getValue(path).valueType()) {
+                ConfigValueType.OBJECT -> getConfig(path).parseAs()
+                else -> CordaX500Name.parse(getString(path))
+            }
+        }
        Properties::class -> getConfig(path).toProperties()
        Config::class -> getConfig(path)
        else -> if (typeClass.java.isEnum) {
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
@ -259,13 +259,17 @@ object X509Utilities {
    private fun createCertificateSigningRequest(subject: X500Principal,
                                                email: String,
                                                keyPair: KeyPair,
-                                                signatureScheme: SignatureScheme): PKCS10CertificationRequest {
+                                                signatureScheme: SignatureScheme,
+                                                certRole: CertRole): PKCS10CertificationRequest {
        val signer = ContentSignerBuilder.build(signatureScheme, keyPair.private, Crypto.findProvider(signatureScheme.providerName))
-        return JcaPKCS10CertificationRequestBuilder(subject, keyPair.public).addAttribute(BCStyle.E, DERUTF8String(email)).build(signer)
+        return JcaPKCS10CertificationRequestBuilder(subject, keyPair.public)
+                .addAttribute(BCStyle.E, DERUTF8String(email))
+                .addAttribute(ASN1ObjectIdentifier(CordaOID.X509_EXTENSION_CORDA_ROLE), certRole)
+                .build(signer)
    }

-    fun createCertificateSigningRequest(subject: X500Principal, email: String, keyPair: KeyPair): PKCS10CertificationRequest {
-        return createCertificateSigningRequest(subject, email, keyPair, DEFAULT_TLS_SIGNATURE_SCHEME)
+    fun createCertificateSigningRequest(subject: X500Principal, email: String, keyPair: KeyPair, certRole: CertRole = CertRole.NODE_CA): PKCS10CertificationRequest {
+        return createCertificateSigningRequest(subject, email, keyPair, DEFAULT_TLS_SIGNATURE_SCHEME, certRole)
    }

    fun buildCertPath(first: X509Certificate, remaining: List<X509Certificate>): CertPath {
@ -284,19 +288,24 @@ object X509Utilities {
    }
 }

+// Assuming cert type to role is 1:1
+val CertRole.certificateType: CertificateType get() = CertificateType.values().first { it.role == this }
+
 /**
 * Convert a [X509Certificate] into Bouncycastle's [X509CertificateHolder].
 *
 * NOTE: To avoid unnecessary copying use [X509Certificate] where possible.
 */
 fun X509Certificate.toBc() = X509CertificateHolder(encoded)
+
 fun X509CertificateHolder.toJca(): X509Certificate = X509CertificateFactory().generateCertificate(encoded.inputStream())

-val CertPath.x509Certificates: List<X509Certificate> get() {
-    require(type == "X.509") { "Not an X.509 cert path: $this" }
-    // We're not mapping the list to avoid creating a new one.
-    return uncheckedCast(certificates)
-}
+val CertPath.x509Certificates: List<X509Certificate>
+    get() {
+        require(type == "X.509") { "Not an X.509 cert path: $this" }
+        // We're not mapping the list to avoid creating a new one.
+        return uncheckedCast(certificates)
+    }

 val Certificate.x509: X509Certificate get() = requireNotNull(this as? X509Certificate) { "Not an X.509 certificate: $this" }

--- a/node-api/src/test/kotlin/net/corda/nodeapi/internal/config/ConfigParsingTest.kt
+++ b/node-api/src/test/kotlin/net/corda/nodeapi/internal/config/ConfigParsingTest.kt
@ -87,10 +87,15 @@ class ConfigParsingTest {

    @Test
    fun CordaX500Name() {
+        val name1 = CordaX500Name(organisation = "Mock Party", locality = "London", country = "GB")
        testPropertyType<CordaX500NameData, CordaX500NameListData, CordaX500Name>(
-                CordaX500Name(organisation = "Mock Party", locality = "London", country = "GB"),
+                name1,
                CordaX500Name(organisation = "Mock Party 2", locality = "London", country = "GB"),
                valuesToString = true)
+
+        // Test with config object.
+        val config = config("value" to mapOf("organisation" to "Mock Party", "locality" to "London", "country" to "GB"))
+        assertThat(config.parseAs<CordaX500NameData>().value).isEqualTo(name1)
    }

    @Test
@ -273,6 +278,7 @@ class ConfigParsingTest {
    data class OldData(
            @OldConfig("oldValue")
            val newValue: String)
+
    data class DataWithCompanion(val value: Int) {
        companion object {
            @Suppress("unused")